Security(Cyber Security) is an essential requirement for any IoT platform or devices or end users and the communication infrastructure. In order to achieve or design best possible security solutions, to avoid some external entity or hacker gaining access to your IoT device or infrastructure, every architect or system designer should do Threat Modeling exercise. As the system is designed and architected, we can minimize the exposure to external threats to our IoT architecture.

With this article I am trying to provide you relevant bits and pieces essential for your understanding:

What is Cyber Security?

As per WhatIs.com – “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.”

To make it more clear and simpler – Cyber Security also known as Computer security, or IT security, is the protection of computer systems from the theft or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection.

What is Threat Modeling?

The objective of threat modeling is to understand how an attacker might be able to compromise a system and then make sure appropriate mitigations are in place. Threat modeling forces the design team to consider mitigations as the system is designed rather than after a system is deployed. This fact is critically important, because retrofitting security defenses to a myriad of devices in the field is infeasible, error prone and will leave customers at risk.

[Content courtesy: Microsoft]

In order to optimize security best practices, it is recommended that a proposed IoT architecture be divided into several component/zones as part of the threat modeling exercise.

Relevant Important Zones for an IoT architecture :

Device,

Field Gateway,

Cloud gateways, and

Services.

Each zone is separated by a Trust Boundary, which is noted as the dotted red line in the diagram below. It represents a transition of data/information from one source to another. During this transition, the data/information could be subject to Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (STRIDE).

[Content courtesy: Microsoft]

This diagram like below provides a full 360 view you any proposed solution:

Summary of important Sections/Zones:

The Device Zone – represents a thing or device where device to device or local user physical access is possible.

The Field Gateway Zone – Field gateway is a device/appliance (Embedded/Hardware) or some general-purpose software that runs on a Physical Server, and acts as communication enabler and potentially, as a device control system and device data processing hub.

The Cloud Gateway Zone – Cloud gateway is a system that enables remote communication from and to devices or field gateways from several different sites across public network space, typically towards a cloud-based control and data analysis system, a federation of such systems.

The Services Zone –A “service” is any software component or module that is interfacing with devices through a field- or cloud gateway for data collection and analysis, as well as for command and control. Services are mediators.

Once we identified threat boundaries we should be able to provide fail safe security measures each associated zones, to meet the business needs and global information exchange and data compliance standards. It is also important to design the product from the start with security in mind because understanding how an attacker might be able to compromise a system helps make sure appropriate mitigations are in place from the beginning.

In next session, we will go through Microsoft’s IoT Reference architecture and associated security measures been put together across each zones.

Microsoft Azure IoT Suite Provisioned solutions will help you create your own fully integrated solutions tailored for your specific needs in the following 3 sections. Using these ready to consume solutions will accelerate your time to market IoT(Internet of Things) requirements.

Remote Monitoring – Connect and monitor your devices to analyze untapped data and improve business outcomes by automating processes. For ex: As a car manufacturing company, provide an option to customer to remotely monitor their car condition, and suggest if they need a re-fuel or oil change.

Predictive Maintenance – Connect and monitor your factory industrial devices for insights using OPC UA to drive operational productivity. For ex: As a car service support, you can get near real-time performance data from the cars manufactured by your company, predict the health of each components in a car and offer timely maintenance to their cars. Send real-time reminders and notifications to customers. Their by ensuring higher satisfaction levels for customers and more business value to the organization as it attracts more sales and good customer feedback.

These solutions will help you to:

Connect and scale quickly – Use preconfigured solutions, and accelerate the development of your Internet of Things (IoT) solution.

The Identity of Things (IDoT) is an area involves assigning universal unique identifiers (UUID) with associated metadata to devices and objects (things), to identify, connect and communicate effectively with other machines over the internet or within constrained local network.

The metadata included with the UUID characterizes the identity of an endpoint. Identity is an essential part of the Internet of Things (IoT), in which nearly anything conceivable can be tended to and organized for exchange of information on the web. In this specific cases, a thing can be anything – including both physical and sensible articles – that has a specific own identifier and the capacity to exchange information over a network.

Addressability and Reachability makes it possible for things/devices to be targeted and found. To make it addressable for the Internet of Things, a thing must be globally uniquely identifiable(no other thing with same identity).

To make communication among things effective and secure, following are some of the essential considerations for identities of things:

Maintaining a Lifecycle: IoT Devices should be capable of maintain a lifecyle depending on the use and duration of sustainability of the device. Hence IDoT should be capable of maintaining a history of changes happening to the device over its lifespan.

Maintaining Relationships:Identify also should provide a basic necessity to relate the device to other devices in the context as well as

Context-awareness: Identity and access management (IAM) for IoT entities should be context aware and grant access only limited to a specific context as required. This would avoid exploitation of devices incase of any cyber attack.

Adequate Authentication: provide means of securely authenticating IoT identities. This would ensure only authenticated entities can gain access to the IoT device.

All these essential features should help in obtaining a unique naming standards for IoT devices or projects in your organization.

The Internet of things (IoT) is the inter-networking of physical devices, vehicles (also referred to as “connected devices” and “smart devices”), buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data.

The IoT allows objects to be sensed or controlled remotely across existing network infrastructure, creating opportunities for more direct integration of the physical world into computer-based systems, and resulting in improved efficiency, accuracy and economic benefit in addition to reduced human intervention.

“ Forecasts show an expected IoT universe with between 20 and 30 billion connected devices by 2020 “

MQTT(Message Queueing Telemetry Transport)- or MQ Telemetry Transport is a lightweight connectivity protocol geared for IoT applications. It is based on the TCP/IP stack which uses the publish/subscribe method for transportation of data. It is open-ended and supports a high level of scaling, which makes it an ideal platform for development of Internet of Things (IoT) solutions.

HTTP/2 – Enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection.

CoAP(Constrained Application Protocol) – CoAP is a web transfer protocol based on the REST model. It is mainly used for lightweight M2M communication owing to its small header size. It is designed especially for constrained networks and systems withing the Internet of Things paradigm, hence the name, Constrained Application Protocol.CoAP mimics HTTP in terms of user visibility, and from that standpoint, reading sensor values is essentially like making an HTTP request.

Provides a rich set of features through Device Management capability. Includes individually enable/disable or provision new device. Change security keys as needed. View/identify individual device problems easily.

Does not provide individual performance metrics. Can provide only a high level aggregated metrics only.

Scalability

Scalable to thousands/millions of simultaneous devices

Limited number of simultaneous connections up to 5000 connections per Azure Service Bus Quotas. Event Hub provides a capability to partition your message to channel it in to associated Service Bus quotas.

SDK Support/ Developer Support

Provides very good Integration SDK and developer support. Both Azure IoT Device SDK and IoT Gateway SDK are the most essential kits provided for almost all devices/OS platforms. It also support all the latest programming languages such as C#, Node.js, Java and Python. Also provides direct MQTT, AMQP and REST based HTTP APIs. Very detail oriented documentation provided.

.NET, Java and C apart from protocols such as AMQP, HTTP API interfaces.

Files/Images Upload Capability

Supports IoT devices/solutions to upload files/images/snapshots to cloud and define a workflow for processing them.

Not Available

Message Routing

Very decent message routing capability is available out of the box. Up to 10 end points can be defined and Advanced Rules can be defined on how routing should occur.

Requires additional programming and hosting to support as per the need.

From this comparison table, you can analyse that IoTHub is the right candidate for your IoT solution needs, as Event Hub lacking certain capabilities that are essential for an IoT Ingestion point. If you are only requiring to send messages to cloud and doesn’t require any fancy stuff as IoTHub provides, you can choose Event Hub.

Remember with more power comes more responsibility, that’s what IotHub intend to provide to you.

Hope this overview was helpful. Please feel free to comment or initiate a discussion any time. Please share your feedbacks on this article as well.

“In learning you will teach, and in teaching you will learn.” -Phil Collins

About

Nithin Mohan – A passionate hardcore application programmer, software architect, and technology evangelist with over 13 years of experience in Web, Mobile, and Cloud applications design and development.
A hardware geek, a kick-starter, and a quick learner.

Disclaimer:
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. This blog is to share knowledge, tips & tricks on software development using Emerging Technologies. Thanks to the readers and sincere thanks to all author's of crossposted blogs. Blog is powered by theme gitsta, customized for this blog. Enjoy reading the blog and subscribe to the RSS feed.